Fake Microsoft Defender Antivirus Renewal Scam
Scammers send fake emails claiming a Microsoft Defender or Windows security subscription is about to auto-renew at an inflated price, tricking victims into calling a fraudulent refund number that leads to account takeover.
Part of: Antivirus Auto-Renewal Overcharge Scams
Last reviewed: 7 June 2026
Microsoft Defender, built into every modern Windows installation, is a genuine, free security product. This creates an unusual opportunity for scammers: by pretending Defender has an annual paid subscription — which it does not — they can send 'renewal invoices' to Windows users who may be uncertain about what security software they are running.
The scam typically presents as an invoice for a large sum (often in the hundreds of dollars or pounds) claiming to be for a 'Microsoft Defender Annual Security Subscription' or 'Windows Security Premium Renewal'. Recipients who do not recall subscribing — because they never did — call the cancellation number in a panic.
The phone call connects them to a fraudulent call centre that offers a refund but ultimately facilitates a different scam: remote account access, banking credential theft, or a classic overpayment fraud.
How this scam works on the Microsoft brand
Microsoft Defender is included with Windows at no additional cost. Microsoft does not send invoices for Defender renewals, nor does it charge an annual subscription for built-in Windows security features. Legitimate Microsoft security products with paid subscriptions (such as Microsoft 365 Family or Microsoft Defender for Business) are managed at account.microsoft.com or admin.microsoft.com.
The fake invoice arrives by email and is formatted to look like a legitimate receipt — often mimicking the style of real Microsoft purchase confirmation emails, complete with a fake transaction number. The email states the recipient will be charged unless they call within a short window to cancel. The phone number connects to scammers.
On the call, the 'agent' offers a refund but requests remote access to process it. Once inside the victim's computer, they navigate to the victim's bank website and use browser developer tools to alter what appears on screen so that it seems to show a large refund. They then claim the overpayment must be returned via gift cards or wire transfer.
Common red flags
- An invoice for a Microsoft Defender 'annual subscription' — Microsoft Defender is free and does not have paid annual subscriptions
- The sender's email address is not at a @microsoft.com domain
- A cancellation or refund number is displayed prominently — Microsoft does not handle billing cancellations through a number in an email
- The invoice amount is unusually high and the deadline is today or tomorrow
- You do not recall purchasing the product listed on the invoice
- The caller requests remote access to process your refund
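The red flags that are visible in the email itself can be turned into a triage check for a mail filter or an abuse mailbox. The following is an added example, not part of the original page: the flag names, regular expressions, the 100 threshold and both sample messages are constructed assumptions. The last two red flags (no memory of the purchase, a caller asking for remote access) cannot be seen in the email and are not checked.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Heuristic patterns (assumptions of this example, tuned to the red flags above).
PAID_DEFENDER = re.compile(
    r"(microsoft defender|windows security)[^.\n]{0,40}(subscription|renewal)", re.I)
PHONE = re.compile(r"\+?\d[\d\s().-]{8,16}\d")
CALLBACK = re.compile(r"\b(cancel\w*|refund\w*)\b", re.I)
AMOUNT = re.compile(r"[$£]\s?(\d[\d,]*)(?:\.\d{2})?")
URGENT = re.compile(r"\b(today|tomorrow|within 24 hours)\b", re.I)
HIGH_AMOUNT = 100  # assumed threshold for "hundreds of dollars or pounds"


def red_flags(raw_email: str) -> list[str]:
    """Return the email-visible red flags found in one raw RFC 5322 message."""
    msg = message_from_string(raw_email, policy=policy.default)
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part is not None else ""
    text = f"{msg['Subject'] or ''}\n{body}"
    flags = []

    domain = parseaddr(str(msg["From"] or ""))[1].rpartition("@")[2].lower()
    if not (domain == "microsoft.com" or domain.endswith(".microsoft.com")):
        flags.append("sender_not_microsoft")
    if PAID_DEFENDER.search(text):
        flags.append("paid_defender_claim")
    if PHONE.search(body) and CALLBACK.search(body):
        flags.append("callback_number")
    amounts = [int(m.group(1).replace(",", "")) for m in AMOUNT.finditer(text)]
    if URGENT.search(text) and any(a >= HIGH_AMOUNT for a in amounts):
        flags.append("high_amount_short_deadline")
    return flags


# Constructed samples: sender, invoice number and phone number are made up.
SCAM = """From: Billing Team <billing@defender-renewals.example>
Subject: Invoice INV-EXAMPLE-001

Your Microsoft Defender Annual Security Subscription renews today for $399.99.
To cancel and request a refund, call +1 (555) 010-0199.
"""

LEGIT = """From: Microsoft <microsoft-noreply@microsoft.com>
Subject: Your Microsoft 365 Family receipt

Your Microsoft 365 Family plan was renewed for $99.99. Manage it at account.microsoft.com.
"""
```

The From header can be forged, so a microsoft.com sender on its own does not make a message genuine; treat the sender check as one signal alongside the others.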
How to protect yourself
- Check your actual Microsoft account subscriptions at account.microsoft.com — only subscriptions that appear there are genuine
- Do not call phone numbers printed in unsolicited emails about Microsoft renewals
- Remember that Microsoft Defender is free and built into Windows — no annual subscription is required
- If you receive an invoice for software you do not recall buying, verify it by logging into the Microsoft account associated with your email
How to report it
- Report tech support and billing scams to Microsoft at microsoft.com/reportascam
- Forward the phishing email to [email protected]
- File a report with the FTC at reportfraud.ftc.gov (US) or with Action Fraud at actionfraud.police.uk (UK)
- If money was transferred, contact your bank immediately and report to the FBI's IC3 at ic3.gov (US)
Frequently asked questions
Does Microsoft Defender require a paid subscription?
No. Microsoft Defender Antivirus is included with Windows 10 and Windows 11 at no charge and does not require an annual renewal payment. Any email claiming to invoice you for a Defender subscription is fraudulent.
How does the 'overpayment refund' part of this scam work?
Once a scammer has remote access to your computer, they use browser developer tools to visually alter your banking page to appear to show a larger deposit than was actually made. They then insist you owe the difference and must send it immediately by gift card or wire transfer.
Where can I check what Microsoft subscriptions I actually have?
Log in to account.microsoft.com using your Microsoft account credentials. Under 'Services and subscriptions', you will see a complete list of any active paid Microsoft subscriptions.